cdevents / spec

A common specification for Continuous Delivery events
Apache License 2.0

Artifact Pulled event data model changes to registries #144

Closed afrittoli closed 3 months ago

afrittoli commented 1 year ago

We may need to add to the artifact.pulled event we have today to facilitate the CDEvents adoption by Harbor and other registries - see https://github.com/goharbor/community/pull/229 for more details.

mekhanique commented 7 months ago

Suggest using artifact.quarantined rather than artifact.pulled; quarantined makes it clearer that it was related to a security issue IMO.

afrittoli commented 7 months ago

Thanks @mekhanique, the artifact.pulled event is meant to track artifact download events (so a counterpart of the artifact.pushed event). We could add a quarantine event too if that's something registries implement.

mekhanique commented 7 months ago

Well, those aren't the same then :-). I'd suggest artifact.downloaded over artifact.pulled in that case; the name is more self-explanatory this way.

Re: artifact.quarantined -- Yes, we quarantine malicious versions of dependencies. Having the event allows for a history around the version to be kept (in an event store for records purposes). Leaving the artifact in a local non-resolvable repository also helps to provide further information around downloads, etc. This is highly useful in regulated environments such as med tech. There are a few ways one can "implement" a quarantine system w/ a repository system, but it's not a "first class feature". Some folks use Bytesafe or JFrog Curation as a front end, but naturally those services cost money. A simple (and free-ish) way of doing this is to create a local resolvable repository to which you post a bogus artifact with the same coordinates as the malicious artifact. You then ensure that this local repository is ahead of your remote repo in your resolution order for your virtual repository (i.e. the repo everyone actually resolves things from). This, of course, presumes you're running a local repository service, such as Artifactory, Nexus or the like. It also requires a tool such as Dependency Track or its ilk to create events upon which an action can be based to perform this quarantine process.

I'd like to further point out an approach that I think makes a lot of sense: making auditing a first-class citizen. All highly regulated and security-conscious environments require heavy event logging. Ensuring that all designs take this into account will be of great benefit to users.
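The quarantine-by-shadowing approach described in the comment above, as an added illustration that is not part of this issue thread or of the CDEvents project: a virtual repository resolves from member repositories in order, a quarantine repository holds a placeholder at the malicious artifact's coordinates, and every quarantine and resolution is appended to an audit trail. The repository names, coordinates and "reason" strings are constructed sample data; the event type strings reuse the names discussed in this thread (`artifact.pulled`, `artifact.quarantined`) as plain labels, not as CDEvents envelopes. The second half of the demo shows the failure mode the comment warns about: with the quarantine repository behind the remote, the placeholder never shadows the real artifact.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Coordinates:
    """Artifact coordinates (group:name:version), used as the lookup key."""
    group: str
    name: str
    version: str

    def __str__(self) -> str:
        return f"{self.group}:{self.name}:{self.version}"


@dataclass
class Artifact:
    coords: Coordinates
    content: bytes
    quarantined: bool = False  # True only for placeholders posted by quarantine()


class Repository:
    """One resolvable repository (local or remote proxy), keyed by coordinates."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._store: dict[Coordinates, Artifact] = {}

    def publish(self, artifact: Artifact) -> None:
        self._store[artifact.coords] = artifact

    def get(self, coords: Coordinates) -> Optional[Artifact]:
        return self._store.get(coords)


class VirtualRepository:
    """Resolves from member repositories in order; the first hit wins, so a
    quarantine repository only shadows the remote when it is listed first."""

    def __init__(self, members: list[Repository]) -> None:
        self.members = members
        self.events: list[dict] = []  # audit trail kept next to resolution

    def _record(self, event_type: str, coords: Coordinates, **extra) -> None:
        self.events.append({
            "type": event_type,
            "artifact": str(coords),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            **extra,
        })

    def quarantine(self, quarantine_repo: Repository, coords: Coordinates, reason: str) -> None:
        # Post a bogus artifact with the same coordinates into the local quarantine repo.
        placeholder = Artifact(coords, b"quarantined placeholder", quarantined=True)
        quarantine_repo.publish(placeholder)
        self._record("artifact.quarantined", coords, reason=reason, repository=quarantine_repo.name)

    def resolve(self, coords: Coordinates) -> Optional[Artifact]:
        for repo in self.members:
            hit = repo.get(coords)
            if hit is not None:
                self._record("artifact.pulled", coords, repository=repo.name,
                             quarantined=hit.quarantined)
                return hit
        self._record("artifact.resolution_failed", coords)
        return None


def demo() -> dict:
    """Resolve one constructed malicious coordinate under both orderings."""
    malicious = Coordinates("com.example", "widget", "1.2.3")  # constructed
    remote = Repository("remote-proxy")
    remote.publish(Artifact(malicious, b"malicious payload (constructed)"))

    # Correct order: quarantine repository ahead of the remote.
    good_q = Repository("local-quarantine")
    good = VirtualRepository([good_q, remote])
    good.quarantine(good_q, malicious, reason="flagged by dependency scanner (constructed)")
    got_good = good.resolve(malicious)

    # Wrong order: remote first, so the placeholder is never consulted.
    bad_q = Repository("local-quarantine")
    bad = VirtualRepository([remote, bad_q])
    bad.quarantine(bad_q, malicious, reason="flagged by dependency scanner (constructed)")
    got_bad = bad.resolve(malicious)

    return {
        "correct_order": {"quarantined": got_good.quarantined, "events": good.events},
        "wrong_order": {"quarantined": got_bad.quarantined, "events": bad.events},
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "-> served quarantined placeholder:", result["quarantined"])
        for event in result["events"]:
            print("   ", event["type"], event["artifact"], event.get("repository", ""))
```

The audit list is the part the comment argues should be first-class: even when resolution serves the placeholder, the `artifact.quarantined` and `artifact.pulled` records together show which version was blocked, why, and who still asked for it.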

e-backmark-ericsson commented 3 months ago

Closed as finished, while some remainders will be handled in #195